CVE-2024-45798
Severity CVSS v4.0: Pending analysis
Type: CWE-20 (Input Validation)
Publication date: 17/09/2024
Last modified: 20/09/2024
Description
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities: code injection in the `tests_results.yml` workflow (`GHSL-2024-169`) and environment variable injection (`GHSL-2024-170`). These issues have been addressed, but users are advised to verify the contents of the downloaded artifacts.
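A detection-side example, added here and not part of the CVE record or of the arduino-esp32 project: a small Python linter for the two patterns the advisory names, an untrusted workflow expression interpolated into a `run:` script (command injection) and one appended to `$GITHUB_ENV` (environment variable injection). The untrusted-context list (taken from the GitHub Security Lab untrusted-input article listed under References) and the sample workflow are constructed for illustration and are not the actual `tests_results.yml`.

```python
import re
# Expression contexts an external contributor controls (constructed list; extend as needed).
UNTRUSTED = re.compile(
    r"github\.(head_ref"
    r"|event\.(issue|pull_request|comment|review|discussion)\.(title|body)"
    r"|event\.pull_request\.head\.(ref|label)"
    r"|event\.(head_commit|commits\.[^.]+)\.(message|author\.(name|email))"
    r"|event\.workflow_run\.(head_branch|head_commit\.message))\b"
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}")          # ${{ ... }} workflow expressions
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
def find_injections(workflow_text):
    """(line_no, kind, expr) per untrusted expression in a `run:` script; kind is
    'env' when that line appends to $GITHUB_ENV, 'command' otherwise."""
    findings = []
    run_indent = None  # column of the `run:` key whose script we are inside
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:  # a `- ` list marker on the same line counts toward the key column
            run_indent = len(m.group(1)) + len(m.group(2) or "")
            body = m.group(3)
        elif run_indent is None or not line.strip():
            continue
        elif len(line) - len(line.lstrip()) <= run_indent:
            run_indent = None  # dedent ends the block scalar
            continue
        else:
            body = line
        for expr in EXPR.findall(body):
            if UNTRUSTED.search(expr):
                kind = "env" if "GITHUB_ENV" in body else "command"
                findings.append((no, kind, expr.strip()))
    return findings
# Constructed sample: two vulnerable steps and the usual fix (pass the value
# through `env:` so the shell only ever sees "$TITLE", never the raw text).
SAMPLE_WORKFLOW = """\
on: pull_request_target
jobs:
  test:
    steps:
      - name: vulnerable, title is pasted into the script
        run: |
          echo "Testing ${{ github.event.pull_request.title }}"
      - name: vulnerable, attacker text is appended to GITHUB_ENV
        run: echo "BRANCH=${{ github.head_ref }}" >> "$GITHUB_ENV"
      - name: fixed, value reaches the shell as an environment variable
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Testing $TITLE"
"""
```

Running `find_injections(SAMPLE_WORKFLOW)` flags lines 7 and 9 of the sample and leaves the `env:`-based step alone, which is the shape the CodeQL query in the references checks for.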
Impact
Base Score 3.x: 9.90
Severity 3.x: CRITICAL
References to Advisories, Solutions, and Tools
- https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection
- https://github.com/espressif/arduino-esp32/blob/690bdb511d9f001e2066da2dda2c631a3eee270f/.github/workflows/tests_results.yml
- https://github.com/espressif/arduino-esp32/security/advisories/GHSA-h52q-xhg2-6jw8
- https://securitylab.github.com/research/github-actions-preventing-pwn-requests
- https://securitylab.github.com/research/github-actions-untrusted-input